eslint-plugin-secure-coding 2.3.4 → 2.4.0

package/src/rules/no-weak-crypto/index.js

@@ -1,351 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.noWeakCrypto = void 0;
-const eslint_devkit_1 = require("@interlace/eslint-devkit");
-const eslint_devkit_2 = require("@interlace/eslint-devkit");
-const WEAK_CRYPTO_PATTERNS = [
-    {
-        pattern: /\bmd5\b/i,
-        name: 'MD5',
-        category: 'hash',
-        alternatives: ['SHA-256', 'SHA-512', 'SHA-3'],
-        example: {
-            bad: 'crypto.createHash("md5").update(data)',
-            good: 'crypto.createHash("sha256").update(data)'
-        },
-        effort: '5 minutes'
-    },
-    {
-        pattern: /\bsha1\b/i,
-        name: 'SHA-1',
-        category: 'hash',
-        alternatives: ['SHA-256', 'SHA-512', 'SHA-3'],
-        example: {
-            bad: 'crypto.createHash("sha1").update(data)',
-            good: 'crypto.createHash("sha256").update(data)'
-        },
-        effort: '5 minutes'
-    },
-    {
-        pattern: /\bdes\b/i,
-        name: 'DES',
-        category: 'encryption',
-        alternatives: ['AES-256', 'ChaCha20-Poly1305'],
-        example: {
-            bad: 'crypto.createCipher("des", key)',
-            good: 'crypto.createCipheriv("aes-256-gcm", key, iv)'
-        },
-        effort: '15 minutes'
-    },
-    {
-        pattern: /\b3des\b|\btripledes\b/i,
-        name: '3DES',
-        category: 'encryption',
-        alternatives: ['AES-256', 'ChaCha20-Poly1305'],
-        example: {
-            bad: 'crypto.createCipher("des-ede3", key)',
-            good: 'crypto.createCipheriv("aes-256-gcm", key, iv)'
-        },
-        effort: '15 minutes'
-    },
-    {
-        pattern: /\brc4\b/i,
-        name: 'RC4',
-        category: 'encryption',
-        alternatives: ['AES-256', 'ChaCha20-Poly1305'],
-        example: {
-            bad: 'crypto.createCipher("rc4", key)',
-            good: 'crypto.createCipheriv("aes-256-gcm", key, iv)'
-        },
-        effort: '15 minutes'
-    }
-];
-/**
- * Check if a string contains a weak crypto algorithm
- */
-function containsWeakCrypto(value, additionalPatterns) {
-    // Check standard patterns
-    for (const pattern of WEAK_CRYPTO_PATTERNS) {
-        if (pattern.pattern.test(value)) {
-            return pattern;
-        }
-    }
-    // Check additional patterns
-    for (const additionalPattern of additionalPatterns) {
-        const regex = new RegExp(`\\b${additionalPattern}\\b`, 'i');
-        if (regex.test(value)) {
-            return {
-                pattern: regex,
-                name: additionalPattern,
-                category: 'hash',
-                alternatives: ['SHA-256', 'SHA-512'],
-                example: {
-                    bad: `crypto.createHash("${additionalPattern}").update(data)`,
-                    good: 'crypto.createHash("sha256").update(data)'
-                },
-                effort: '10 minutes'
-            };
-        }
-    }
-    return null;
-}
-/**
- * Generate refactoring suggestions based on the weak crypto pattern
- */
-function generateRefactoringSteps(pattern, context) {
-    const suggestions = [];
-    if (pattern.category === 'hash') {
-        suggestions.push({
-            messageId: 'useSha256',
-            fix: `Use SHA-256: crypto.createHash("sha256").update(${context})`
-        });
-    }
-    else if (pattern.category === 'encryption') {
-        suggestions.push({
-            messageId: 'useAes256',
-            fix: `Use AES-256-GCM: crypto.createCipheriv("aes-256-gcm", key, iv)`
-        });
-    }
-    if (pattern.category === 'password') {
-        suggestions.push({
-            messageId: 'useBcrypt',
-            fix: 'Use bcrypt: bcrypt.hash(password, 10)'
-        });
-        suggestions.push({
-            messageId: 'useScrypt',
-            fix: 'Use scrypt: crypto.scrypt(password, salt, 64)'
-        });
-        suggestions.push({
-            messageId: 'useArgon2',
-            fix: 'Use Argon2: argon2.hash(password)'
-        });
-    }
-    return suggestions;
-}
-exports.noWeakCrypto = (0, eslint_devkit_2.createRule)({
-    name: 'no-weak-crypto',
-    meta: {
-        type: 'problem',
-        deprecated: true,
-        replacedBy: ['@see eslint-plugin-crypto for 24 crypto security rules'],
-        docs: {
-            description: 'Detects use of weak cryptography algorithms (MD5, SHA1, DES)',
-        },
-        hasSuggestions: true,
-        messages: {
-            weakCrypto: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.SECURITY,
-                issueName: 'Weak cryptography',
-                cwe: 'CWE-327',
-                description: 'Use of weak cryptography algorithm: {{algorithm}}',
-                severity: 'CRITICAL',
-                fix: '{{safeAlternative}}',
-                documentationLink: 'https://owasp.org/www-community/vulnerabilities/Weak_Cryptography',
-            }),
-            useSha256: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Use SHA-256',
-                description: 'Use SHA-256 for hashing',
-                severity: 'LOW',
-                fix: 'crypto.createHash("sha256").update(data)',
-                documentationLink: 'https://nodejs.org/api/crypto.html#cryptocreatehashmethod-options',
-            }),
-            useBcrypt: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Use bcrypt',
-                description: 'Use bcrypt for password hashing',
-                severity: 'LOW',
-                fix: 'bcrypt.hash(password, 10)',
-                documentationLink: 'https://github.com/kelektiv/node.bcrypt.js',
-            }),
-            useScrypt: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Use scrypt',
-                description: 'Use scrypt for password hashing',
-                severity: 'LOW',
-                fix: 'crypto.scrypt(password, salt, 64)',
-                documentationLink: 'https://nodejs.org/api/crypto.html#cryptoscryptpassword-salt-keylen-options-callback',
-            }),
-            useArgon2: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Use Argon2',
-                description: 'Use Argon2 for password hashing',
-                severity: 'LOW',
-                fix: 'argon2.hash(password)',
-                documentationLink: 'https://github.com/ranisalt/node-argon2',
-            }),
-            useAes256: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Use AES-256-GCM',
-                description: 'Use AES-256-GCM for encryption',
-                severity: 'LOW',
-                fix: 'Use crypto.createCipheriv("aes-256-gcm", key, iv)',
-                documentationLink: 'https://nodejs.org/api/crypto.html#cryptocreatecipherivalgorithm-key-iv-options',
-            }),
-            strategyAuto: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Auto-fix Strategy',
-                description: 'Automatically suggest the best replacement',
-                severity: 'LOW',
-                fix: 'Apply automatic fix suggestion',
-                documentationLink: 'https://owasp.org/www-community/vulnerabilities/Weak_Cryptography',
-            }),
-            strategyUpgrade: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Upgrade Strategy',
-                description: 'Upgrade to a stronger algorithm',
-                severity: 'LOW',
-                fix: 'Replace weak algorithm with stronger alternative',
-                documentationLink: 'https://owasp.org/www-community/vulnerabilities/Weak_Cryptography',
-            }),
-            strategyMigrate: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Migration Strategy',
-                description: 'Plan migration to stronger cryptography',
-                severity: 'LOW',
-                fix: 'Create migration plan for cryptographic upgrade',
-                documentationLink: 'https://owasp.org/www-community/vulnerabilities/Weak_Cryptography',
-            }),
-            strategyPolicy: (0, eslint_devkit_1.formatLLMMessage)({
-                icon: eslint_devkit_1.MessageIcons.INFO,
-                issueName: 'Policy Strategy',
-                description: 'Apply organizational security policy',
-                severity: 'LOW',
-                fix: 'crypto.createCipheriv("aes-256-gcm", key, iv)',
-                documentationLink: 'https://nodejs.org/api/crypto.html#cryptocreatecipherivalgorithm-key-iv-options',
-            }),
-        },
-        schema: [
-            {
-                type: 'object',
-                properties: {
-                    allowInTests: {
-                        type: 'boolean',
-                        default: false,
-                        description: 'Allow weak crypto in test files',
-                    },
-                    additionalWeakAlgorithms: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: [],
-                        description: 'Additional weak algorithms to detect',
-                    },
-                    trustedLibraries: {
-                        type: 'array',
-                        items: { type: 'string' },
-                        default: ['crypto', 'crypto-js'],
-                        description: 'Trusted crypto libraries',
-                    },
-                },
-                additionalProperties: false,
-            },
-        ],
-    },
-    defaultOptions: [
-        {
-            allowInTests: false,
-            additionalWeakAlgorithms: [],
-            trustedLibraries: ['crypto', 'crypto-js'],
-        },
-    ],
-    create(context, [options = {}]) {
-        const { allowInTests = false, additionalWeakAlgorithms = [], trustedLibraries = ['crypto', 'crypto-js'], } = options;
-        const filename = context.getFilename();
-        const isTestFile = allowInTests && /\.(test|spec)\.(ts|tsx|js|jsx)$/.test(filename);
-        /**
-         * Check if a call expression uses weak crypto
-         */
-        function checkCallExpression(node) {
-            if (isTestFile) {
-                return;
-            }
-            // Check for crypto.createHash, crypto.createCipher, etc.
-            if (node.callee.type === 'MemberExpression') {
-                // Check if it's a crypto method call (e.g., crypto.createHash, crypto.createCipher)
-                if (node.callee.object.type === 'Identifier' &&
-                    node.callee.property.type === 'Identifier') {
-                    const objectName = node.callee.object.name;
-                    const methodName = node.callee.property.name;
-                    // Check if it's a crypto method from a trusted library
-                    const isCryptoMethod = (methodName === 'createHash' ||
-                        methodName === 'createCipher' ||
-                        methodName === 'createCipheriv') &&
-                        (trustedLibraries.includes(objectName) || objectName === 'crypto');
-                    if (isCryptoMethod) {
-                        // Check arguments for weak algorithms
-                        for (const arg of node.arguments) {
-                            if (arg.type === 'Literal' && typeof arg.value === 'string') {
-                                const weakPattern = containsWeakCrypto(arg.value, additionalWeakAlgorithms);
-                                if (weakPattern) {
-                                    const safeAlternative = weakPattern.alternatives[0];
-                                    const refactoringSteps = generateRefactoringSteps(weakPattern, 'data');
-                                    context.report({
-                                        node: arg,
-                                        messageId: 'weakCrypto',
-                                        data: {
-                                            algorithm: weakPattern.name,
-                                            safeAlternative: `Use ${safeAlternative}: ${weakPattern.example.good}`,
-                                        },
-                                        suggest: refactoringSteps.map(step => ({
-                                            messageId: step.messageId,
-                                            fix: (fixer) => {
-                                                // Replace the weak algorithm with a safe one
-                                                if (weakPattern.category === 'hash') {
-                                                    return fixer.replaceText(arg, `"sha256"`);
-                                                }
-                                                else if (weakPattern.category === 'encryption') {
-                                                    return fixer.replaceText(arg, `"aes-256-gcm"`);
-                                                }
-                                                return null;
-                                            },
-                                        })),
-                                    });
-                                }
-                            }
-                        }
-                    }
-                }
-            }
-            // Check for standalone crypto function calls (e.g., createHash, createCipher)
-            if (node.callee.type === 'Identifier') {
-                const calleeName = node.callee.name;
-                // Check for common crypto library patterns
-                if (calleeName === 'createHash' || calleeName === 'createCipher' || calleeName === 'createCipheriv') {
-                    for (const arg of node.arguments) {
-                        if (arg.type === 'Literal' && typeof arg.value === 'string') {
-                            const weakPattern = containsWeakCrypto(arg.value, additionalWeakAlgorithms);
-                            if (weakPattern) {
-                                const safeAlternative = weakPattern.alternatives[0];
-                                context.report({
-                                    node: arg,
-                                    messageId: 'weakCrypto',
-                                    data: {
-                                        algorithm: weakPattern.name,
-                                        safeAlternative: `Use ${safeAlternative}: ${weakPattern.example.good}`,
-                                    },
-                                    suggest: [
-                                        {
-                                            messageId: weakPattern.category === 'hash' ? 'useSha256' : 'useAes256',
-                                            fix: (fixer) => {
-                                                if (weakPattern.category === 'hash') {
-                                                    return fixer.replaceText(arg, `"sha256"`);
-                                                }
-                                                else if (weakPattern.category === 'encryption') {
-                                                    return fixer.replaceText(arg, `"aes-256-gcm"`);
-                                                }
-                                                return null;
-                                            },
-                                        },
-                                    ],
-                                });
-                            }
-                        }
-                    }
-                }
-            }
-        }
-        return {
-            CallExpression: checkCallExpression,
-        };
-    },
-});